lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <3aa800bb9f664910da24d5cfe9507c07.squirrel@gameframe.net>
Date: Sun, 30 Oct 2011 16:49:20 +0200
From: nix@...roxylists.com
To: "Mark Andrews" <marka@....org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: bind-9.8.1 remote code exec exploit?

>
> In message <c2122821abc4d89254092500a8814215.squirrel@...eframe.net>,
> nix@...ro
> xylists.com writes:
>> Hello list.
>>
>> I've source compile of BIND 9.8.1 on the server.
>>
>> I've been investigating weird iptables messages as follows:
>>
>> Oct 29 14:53:13 NIX kernel: IN= OUT=eth0 SRC=MY_SERVER_IP
>> DST=62.80.128.29
>> LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=31795 PROTO=UDP SPT=53 DPT=5060
>> LEN=94
>>
>> I received a message from my ISP abuse that my server is scanning SIP
>> port
>> 5060 and I set the firewall rule to deny/log all UDP connections out of
>> the box to port 5060 to get timestamps for further investigation. This
>> happened before I set the firewall rule.
>
> You are just blocking legitimate reply traffic.  Your ISP is probably
> misclassifying traffic it sees destined to port 5060.  Nameservers
> randomly pick source ports to make it harder for off path attackers
> to spoof reply packets and, unless something is already using port
> 5060, port 5060 is fair game.
>
> You can stop your own nameservers using 5060 as a query source port
> with avoid-v4-udp-ports but it doesn't do much to help with queries
> to you.
>
> 	avoid-v4-udp-ports { 5060; };
> 	avoid-v6-udp-ports { 5060; };
>
> You should also adjust your firewall to let packets sourced from
> port 53 on your nameservers to any port go through.  That way you
> won't get false positives.
>
> Mark
>
>> /var/log/named.log
>>
>> 05-Oct-2011 06:05:58.093 client: warning: client 81.25.53.2#5060: error
>> sending response: host unreachable
>> 07-Oct-2011 13:14:38.739 client: warning: client 221.210.153.6#5060:
>> error
>> sending response: host unreachable
>> 08-Oct-2011 00:43:22.881 client: warning: client 212.59.18.8#5060: error
>> sending response: host unreachable
>> 08-Oct-2011 13:42:58.943 client: warning: client 202.43.160.50#5060:
>> error
>> sending response: host unreachable
>> 12-Oct-2011 10:26:20.586 client: warning: client 213.77.43.115#5060:
>> error
>> sending response: host unreachable
>> 14-Oct-2011 15:42:12.676 client: warning: client 193.210.19.19#5060:
>> error
>> sending response: host unreachable
>> 15-Oct-2011 16:26:16.573 client: warning: client 202.44.204.36#5060:
>> error
>> sending response: host unreachable
>> 16-Oct-2011 20:52:44.570 client: warning: client 200.63.56.5#5060: error
>> sending response: host unreachable
>> 17-Oct-2011 01:48:49.617 client: warning: client 84.22.23.4#5060: error
>> sending response: host unreachable
>> 23-Oct-2011 12:34:26.255 client: warning: client 208.69.35.15#5060:
>> error
>> sending response: host unreachable
>> 25-Oct-2011 01:50:17.382 client: warning: client 84.88.226.10#5060:
>> error
>> sending response: host unreachable
>> 25-Oct-2011 15:23:51.384 client: warning: client 195.222.32.20#5060:
>> error
>> sending response: host unreachable
>> 29-Oct-2011 14:53:13.208 client: warning: client 62.80.128.29#5060:
>> error
>> sending response: host unreachable
>>
>> Timestamps matches exactly to kernel's firewall log. Every time BIND
>> error
>> log has the above entry, the box tries to scan for SIP port 5060.
>>
>> Is it possible to scan ports through BIND or exec code by sending a
>> specially crafted request?
>>
>> PS. I have been tracking this issue for a week and no other timestamps
>> matches exactly to this isssue. I have currently grsec' exec logging on
>> and hoping this issue occurs soon so I can see will it execute extra
>> code
>> under the user 'bind'.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@....org
>

Thanks everyone for clarification. The port scan issue I had with the
other host actually happened before I set up name server. At that time I
could not determine what is causing it and I left this issue alone due to
lot of other work.

Then I set a firewall rule to log/deny UDP port 5060. After wards I
installed name server on this server and started to see those iptables
messages and though that something is connection out of the box to port
5060 that should not.

I was not aware that BIND uses random ports and obviously 5060 as well.

Hopefully I explained clear enough what causes this confusion.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists